The original instrument and the following digest, which constitutes no part of the
legislative instrument, were prepared by Curry Lann.
DIGEST
SB 361 Original 2018 Regular Session Walsworth
Present law defines "personal information" as an individual's first name or first initial and last name
in combination with any one or more of the following data elements, when the name or the data
element is not encrypted or redacted:
(1) Social security number.
(2) Driver's license number.
(3)Account number, credit or debit card number, in combination with any required security
code, access code, or password that would permit access to an individual's financial account.
Proposed law defines "personal information" as an individual's first name or first initial and last
name in combination with any one or more of the following data elements, when the name or the
data element is not encrypted or redacted:
(1) Social security number.
(2) Driver's license number or state identification card.
(3) Account number, credit or debit card number, in combination with any required security
code, access code, or password that would permit access to an individual's financial account.
(4)Passport number.
(5)Biometric data.
Proposed law requires any person that conducts business in the state or that owns or licenses
computerized data that includes personal information, or any agency that owns or licenses
computerized data that includes personal information, to implement and maintain reasonable security
procedures and practices appropriate to the nature of the information to protect the personal
information from unauthorized access, destruction, use, modification, or disclosure.
Proposed law requires any person that conducts business in the state or that owns or licenses
computerized data that includes personal information, or any agency that owns or licenses
computerized data that includes personal information to take all reasonable steps to destroy or
arrange for the destruction of the records within its custody or control containing personal
information that is no longer to be retained by the person or business by shredding, erasing, or
otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
Present law requires notification to be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures
necessary to determine the scope of the breach, prevent further disclosures, and restore the
reasonable integrity of the data system.
Proposed law retains present law and further requires that notification be made within 45 days.
Present law provides that notification is not required if after a reasonable investigation the person
or business determines that there is no reasonable likelihood of harm to customers.
Proposed law repeals present law.
Present law (R.S. 51:1405(A)) declares unfair methods of competition and unfair or deceptive acts
or practices in the conduct of any trade or commerce unlawful.
Proposed law retains present law and provides that violations of the Database Security Breach
Notification Law constitute an unfair practice under R.S. 51:1405(A).
Effective August 1, 2018.
(Amends R.S. 51:3073(4)(a) and 3074)